
Re: non-root authentication of non-root users



On 6/23/02 12:07 PM -0500, Shane Beasley wrote:

> The solution that I envision seems eerily similar to pam_pwdb, which uses
> a tiny, provably secure setuid helper binary that does the authentication.
> The trouble is, it needs to be able to authenticate *any* user, not just
> the user doing the authentication. Basically, instead of the helper binary
> calling getuid(), it would receive the user name from the PAM module. It
> sounds simple enough, which is why I was hoping that someone had done this
> already. :)

This would be the optimum solution.  I looked into hacking it to do that at
one point and never did get it finished.  The solution suggested in docs
for the mod_auth_pam module for Apache is to make /etc/shadow be
group-readable to apache.  This isn't all that secure either, but it's not
quite as bad as making it world-readable, and it works until someone comes
up with a setuid helper binary that could authenticate anyone.
-- 
Dave Miller    justdave@syndicomm.com + justdave@justdave.net
Lead Software Engineer/System Administrator, Syndicomm Online
http://www.syndicomm.com/            http://www.justdave.net/
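
Added example, not part of the original message: the group-readable /etc/shadow workaround mentioned above exposes the hashes to every account in the file's group, and this sketch audits that exposure. It assumes a Linux host with GNU stat and getent; the function names are hypothetical, and POSIX ACLs are not examined.

```shell
#!/bin/sh
# Added example: audit who, besides the owner, can read a shadow-style file.
# Assumes GNU stat and getent; only classic mode bits are checked, not ACLs.

# Print one classification line:
#   world-readable | group-readable:<group> | owner-only
shadow_exposure() {
    se_file=${1:-/etc/shadow}
    se_mode=$(stat -c '%a' -- "$se_file") || return 2
    se_group=$(stat -c '%G' -- "$se_file") || return 2
    # A leading 0 makes the shell read the mode as octal.
    # 04 = other-read bit, 040 = group-read bit.
    if [ $(( 0$se_mode & 04 )) -ne 0 ]; then
        echo "world-readable"
    elif [ $(( 0$se_mode & 040 )) -ne 0 ]; then
        echo "group-readable:$se_group"
    else
        echo "owner-only"
    fi
}

# List accounts that gain read access through the file's group:
# supplementary members plus users whose primary group it is.
group_readers() {
    gr_file=${1:-/etc/shadow}
    gr_gid=$(stat -c '%g' -- "$gr_file") || return 2
    {
        getent group "$gr_gid" |
            awk -F: '{ n = split($4, m, ",")
                       for (i = 1; i <= n; i++) if (m[i] != "") print m[i] }'
        getent passwd | awk -F: -v g="$gr_gid" '$4 == g { print $1 }'
    } | sort -u
}

# When called with a path, report on it.
if [ "$#" -gt 0 ]; then
    result=$(shadow_exposure "$1") || exit 2
    echo "$1: $result"
    case $result in
        group-readable:*) echo "accounts reading via group:"; group_readers "$1" ;;
    esac
fi
```

Any process running as one of the listed accounts, including scripts executed by the web server, can read the hashes under this workaround.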




